Professional Documents
Culture Documents
Sec Ddos Attack Prevn
Sec Ddos Attack Prevn
Attacks
The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of
Service (DoS) attacks at the global level (for all firewall sessions) and at the VPN routing and forwarding
(VRF) level. In Cisco IOS XE Release 3.4S and later releases, you can configure the aggressive aging of
firewall sessions, event rate monitoring of firewall sessions, the half-opened connections limit, and global
TCP SYN cookie protection to prevent distributed DoS attacks.
• Firewall drops due to basic firewall checks failure—This can include zone or zone-pair check failures,
or firewall policies configured with the drop action, and so on.
• Firewall drops due to Layer 4 inspection failure—This can include TCP inspections that have failed
because the first TCP packet is not a synchronization (SYN) packet.
• TCP SYN cookie attack—This can include counting the number of SYN packets that are dropped and
the number of SYN cookies that are sent as a spoofing attack.
The Event Rate Monitoring feature monitors the average rate and the burst rate of different events. Each event
type has a rate object that is controlled by an associated rate that has a configurable parameter set (the average
threshold, the burst threshold, and a time period). The time period is divided into time slots; each time slot is
1/30th of the time period.
The average rate is calculated for every event type. Each rate object holds 30 completed sampling values plus
one value to hold the current ongoing sampling period. The current sampling value replaces the oldest calculated
value and the average is recalculated. The average rate is calculated during every time period. If the average
rate exceeds the average threshold, the Event Rate Monitoring feature will consider this as a possible threat,
update the statistics, and inform the network administrator.
The burst rate is implemented by using the token bucket algorithm. For each time slot, the token bucket is
filled with tokens. For each event that occurs (of a specific event type), a token is removed from the bucket.
An empty bucket means that the burst threshold is reached, and the administrator receives an alarm through
the syslog or HSL. You can view the threat detection statistics and learn about possible threats to various
events in the zone from the output of the show policy-firewall stats zone command.
You must first enable basic threat detection by using the threat-detection basic-threat command. Once basic
threat detection is configured, you can configure the threat detection rate. To configure the threat detection
rate, use the threat-detection rate command.
The following table describes the basic threat detection default settings that are applicable if the Event Rate
Monitoring feature is enabled.
Configuring a Firewall
In this task, you will do the following:
• Configure a firewall.
• Create a security source zone.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect match-any class-map-name
4. match protocol {icmp | tcp | udp}
5. exit
6. parameter-map type inspect global
7. redundancy
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect class-map-name
11. inspect
12. exit
13. class class-default
14. drop
15. exit
16. exit
17. zone security security-zone-name
18. exit
19. zone security security-zone-name
20. exit
21. zone-pair security zone-pair-name source source-zone destination destination-zone
22. service-policy type inspect policy-map-name
23. exit
24. interface type number
25. ip address ip-address mask
26. encapsulation dot1q vlan-id
27. zone-member security security-zone-name
28. end
29. To attach a zone to another interface, repeat Steps 21 to 25.
DETAILED STEPS
Example:
Device# configure terminal
Step 3 class-map type inspect match-any class-map-name Creates an application-specific inspect type class map and enters
QoS class-map configuration mode.
Example:
Device(config)# class-map type inspect
match-any ddos-class
Step 4 match protocol {icmp | tcp | udp} Configures the match criterion for a class map based on the
specified protocol.
Example:
Device(config-cmap)# match protocol tcp
Step 5 exit Exits QoS class-map configuration mode and enters global
configuration mode.
Example:
Device(config-cmap)# exit
Step 6 parameter-map type inspect global Defines a global inspect parameter map and enters
parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type inspect
global
Example:
Device(config-profile)# redundancy
Step 8 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 9 policy-map type inspect policy-map-name Creates a protocol-specific inspect type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect
ddos-fw
Example:
Device(config-pmap-c)# inspect
Step 12 exit Exits QoS policy-map class configuration mode and enters QoS
policy-map configuration mode.
Example:
Device(config-pmap-c)# exit
Step 14 drop Allows traffic to pass between two interfaces in the same zone.
Example:
Device(config-pmap-c)# drop
Step 15 exit Exits QoS policy-map class configuration mode and enters QoS
policy-map configuration mode.
Example:
Device(config-pmap-c)# exit
Step 16 exit Exits QoS policy-map configuration mode and enters global
configuration mode.
Example:
Device(config-pmap)# exit
Step 17 zone security security-zone-name Creates a security zone and enters security zone configuration
mode.
Example: • You need two security zones to create a zone pair—a
Device(config)# zone security private
source and a destination zone.
Step 18 exit Exits security zone configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone)# exit
Step 20 exit Exits security zone configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone)# exit
Step 21 zone-pair security zone-pair-name source Creates a zone pair and enters security zone-pair configuration
source-zone destination destination-zone mode.
Example:
Device(config)# zone-pair security
private2public source private destination
public
Step 22 service-policy type inspect policy-map-name Attaches a policy map to a top-level policy map.
Example:
Device(config-sec-zone-pair)# service-policy
type inspect ddos-fw
Step 23 exit Exits security zone-pair configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone-pair)# exit
Step 24 interface type number Configures an interface and enters subinterface configuration
mode.
Example:
Device(config)# interface gigabitethernet
0/1/0.1
Example:
Device(config-subif)# ip address 10.1.1.1
255.255.255.0
Step 26 encapsulation dot1q vlan-id Sets the encapsulation method used by the interface.
Example:
Device(config-subif)# encapsulation dot1q
2
SUMMARY STEPS
1. enable
2. configure terminal
3. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
4. per-box max-incomplete number aggressive-aging high {value low value | percent percent low percent
percent}
5. per-box aggressive-aging high {value low value | percent percent low percent percent}
6. exit
7. parameter-map type inspect parameter-map-name
8. tcp synwait-time seconds [ageout-time seconds]
9. end
10. show policy-firewall stats global
DETAILED STEPS
Example:
Device# configure terminal
Step 3 Enter one of the following commands: Configures a global parameter map for connecting thresholds and
timeouts and enters parameter-map type inspect configuration mode.
• parameter-map type inspect-global
• Based on your release, the parameter-map type
• parameter-map type inspect global
inspect-global and the parameter-map type inspect global
commands are supported. You cannot configure both these
commands together.
Example:
Device(config)# parameter-map type • Skip Steps 4 and 5 if you configure the parameter-map type
inspect-global inspect-global command.
Device(config)# parameter-map type inspect
global
Note If you configure the parameter-map type inspect-global
command, per-box configurations are not supported
because, by default, all per-box configurations apply to all
firewall sessions.
Example:
Device(config-profile)# per-box
max-incomplete 2000 aggressive-aging high
1500 low 1200
Step 5 per-box aggressive-aging high {value low value Configures the aggressive aging limit of total sessions.
| percent percent low percent percent}
Example:
Device(config-profile)# per-box
aggressive-aging high 1700 low 1300
Step 6 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 7 parameter-map type inspect Configures an inspect-type parameter map for connecting thresholds,
parameter-map-name timeouts, and other parameters pertaining to the inspect action and
enters parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type inspect
pmap1
Step 8 tcp synwait-time seconds [ageout-time seconds] Specifies how long the software will wait for a TCP session to reach
the established state before dropping the session.
Example: • After aggressive aging is enabled, the SYN wait timer of the
Device(config-profile)# tcp synwait-time
30 ageout-time 10 oldest TCP connections are reset from the default to the
configured ageout time. In this example, instead of waiting
for 30 seconds for connections to timeout, the timeout of the
oldest TCP connections are set to 10 seconds. Aggressive aging
is disabled when the connections drop below the low
watermark.
Step 9 end Exits parameter-map type inspect configuration mode and enters
privileged EXEC mode.
Example:
Device(config-profile)# end
Step 10 show policy-firewall stats global Displays global firewall statistics information.
Example:
Device# show policy-firewall stats global
SUMMARY STEPS
1. enable
2. configure terminal
3. Enters one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
4. max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
5. session total number [aggressive-aging high {value low value | percent percent low percent percent}]
6. exit
7. parameter-map type inspect parameter-map-name
8. tcp synwait-time seconds [ageout-time seconds]
9. end
10. show policy-firewall stats vrf global
DETAILED STEPS
Example:
Device# configure terminal
Step 3 Enters one of the following commands: Configures a global parameter map for connecting thresholds and
timeouts and enters parameter-map type inspect configuration mode.
• parameter-map type inspect-global
• Based on your release, the parameter-map type
• parameter-map type inspect global
inspect-global and the parameter-map type inspect global
commands are supported. You cannot configure both these
commands together.
Example:
Device(config)# parameter-map type • Skip Step 5 if you configure the parameter-map type
inspect-global inspect-global command.
Device(config)# parameter-map type inspect
global
Step 4 max-incomplete number aggressive-aging high Configures the maximum limit and the aggressive aging limit of
{value low value | percent percent low percent half-opened firewall sessions.
percent}
Example:
Device(config-profile)# max-incomplete 3455
aggressive-aging high 2345 low 2255
Step 5 session total number [aggressive-aging high Configures the total limit and the aggressive aging limit for total
{value low value | percent percent low percent firewall sessions.
percent}]
Example:
Device(config-profile)# session total 1000
aggressive-aging high percent 80 low
percent 60
Step 6 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 7 parameter-map type inspect parameter-map-name Configures an inspect-type parameter map for connecting thresholds,
timeouts, and other parameters pertaining to the inspect action and
Example: enters parameter-map type inspect configuration mode.
Device(config)# parameter-map type inspect
pmap1
Step 8 tcp synwait-time seconds [ageout-time seconds] Specifies how long the software will wait for a TCP session to reach
the established state before dropping the session.
Example: • After aggressive aging is enabled, the SYN wait timer of the
Device(config-profile)# tcp synwait-time
30 ageout-time 10 oldest TCP connections are reset from the default to the
configured ageout time. In this example, instead of waiting
for 30 seconds for connections to timeout, the timeout of the
oldest TCP connections are set to 10 seconds. Aggressive
aging is disabled when the connections drop below the low
watermark.
Step 9 end Exits parameter-map type inspect configuration mode and enters
privileged EXEC mode.
Example:
Device(config-profile)# end
Example:
Device# show policy-firewall stats vrf
global
SUMMARY STEPS
1. enable
2. configure terminal
3. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
DETAILED STEPS
Example:
Device# configure terminal
Step 3 Enter one of the following commands: Configures a global parameter map and enters parameter-map type
inspect configuration mode.
• parameter-map type inspect-global
• Based on your release, the parameter-map type inspect-global
• parameter-map type inspect global
and the parameter-map type inspect global commands are
supported. You cannot configure both these commands together.
Step 4 vrf vrf-name inspect vrf-pmap-name Binds a VRF with a parameter map.
Example:
Device(config-profile)# vrf vrf1 inspect
vrf1-pmap
Step 5 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 6 parameter-map type inspect Configures an inspect-type parameter map for connecting thresholds,
parameter-map-name timeouts, and other parameters pertaining to the inspect action and
enters parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type
inspect pmap1
Step 7 tcp idle-time seconds [ageout-time seconds] Configures the timeout for idle TCP sessions and the aggressive
aging-out time for TCP sessions.
Example: • You can also configure the tcp finwait-time command to
Device(config-profile)# tcp idle-time
3000 ageout-time 100 specify how long a TCP session will be managed after the
firewall detects a finish (FIN) exchange, or you can configure
the tcp synwait-time command to specify how long the
software will wait for a TCP session to reach the established
state before dropping the session.
Step 9 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 10 policy-map type inspect policy-map-name Creates a protocol-specific inspect type policy map and enters QoS
policy-map configuration mode.
Example:
Device(config)# policy-map type inspect
ddos-fw
Step 11 class type inspect match-any class-map-name Specifies the traffic class on which an action is to be performed and
enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect
match-any ddos-class
Step 12 inspect parameter-map-name Enables stateful packet inspection for the parameter map.
Example:
Device(config-pmap-c)# inspect pmap1
Step 13 end Exits QoS policy-map class configuration mode and enters privileged
EXEC mode.
Example:
Device(config-pmap-c)# end
Step 14 show policy-firewall stats vrf vrf-pmap-name Displays VRF-level policy firewall statistics.
Example:
Device# show policy-firewall stats vrf
vrf1-pmap
Example
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap
Half Open
Protocol Session Cnt Exceed
-------- ----------- ------
All 0 0
UDP 0 0
ICMP 0 0
TCP 0 0
SUMMARY STEPS
1. enable
2. configure terminal
3. ip vrf vrf-name
4. rd route-distinguisher
5. route-target export route-target-ext-community
6. route-target import route-target-ext-community
7. exit
8. parameter-map type inspect-vrf vrf-pmap-name
9. max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
10. session total number [aggressive-aging {high value low value | percent percent low percent percent}]
11. alert on
12. exit
13. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip vrf vrf-name Defines a VRF instance and enters VRF configuration mode.
Example:
Device(config)# ip vrf ddos-vrf1
Example:
Device(config-vrf)# rd 100:2
Step 5 route-target export route-target-ext-community Creates a route-target extended community and exports the
routing information to the target VPN extended community.
Example:
Device(config-vrf)# route-target export 100:2
Step 6 route-target import route-target-ext-community Creates a route-target extended community and imports routing
information from the target VPN extended community.
Example:
Device(config-vrf)# route-target import 100:2
Step 7 exit Exits VRF configuration mode and enters global configuration
mode.
Example:
Device(config-vrf)# exit
Step 8 parameter-map type inspect-vrf vrf-pmap-name Configures an inspect VRF-type parameter map and enters
parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type
inspect-vrf vrf1-pmap
Step 9 max-incomplete number aggressive-aging high Configures the maximum limit and the aggressive aging limit
{value low value | percent percent low percent for half-opened sessions.
percent}
Example:
Device(config-profile)# max-incomplete 2000
aggressive-aging high 1500 low 1200
Step 11 alert on Enables the console display of stateful packet inspection alert
messages.
Example:
Device(config-profile)# alert on
Step 12 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 13 Enter one of the following commands: Configures a global parameter map and enters parameter-map
type inspect configuration mode.
• parameter-map type inspect-global
• Based on your release, the parameter-map type
• parameter-map type inspect global
inspect-global and the parameter-map type inspect
global commands are supported. You cannot configure
both these commands together.
Example:
Device(config)# parameter-map type • Skip Step 14 if you configure the parameter-map type
inspect-global inspect-global command.
Device(config)# parameter-map type inspect
global
Note If you configure the parameter-map type
inspect-global command, per-box configurations are
not supported because, by default, all per-box
configurations apply to all firewall sessions.
Step 14 vrf vrf-name inspect vrf-pmap-name Binds a VRF with a parameter map.
Example:
Device(config-profile)# vrf vrf1 inspect
vrf1-pmap
Step 15 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 16 parameter-map type inspect parameter-map-name Configures an inspect-type parameter map for connecting
thresholds, timeouts, and other parameters pertaining to the
Example: inspect action and enters parameter-map type inspect
Device(config)# parameter-map type inspect configuration mode.
pmap1
Step 18 tcp synwait-time seconds [ageout-time seconds] Specifies how long the software will wait for a TCP session to
reach the established state before dropping the session.
Example: • When aggressive aging is enabled, the SYN wait timer of
Device(config-profile)# tcp synwait-time 30
ageout-time 10 the oldest TCP connections are reset from the default to
the configured ageout time. In this example, instead of
waiting for 30 seconds for connections to timeout, the
timeout of the oldest TCP connections are set to 10
seconds. Aggressive aging is disabled when the
connections drop below the low watermark.
Step 19 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 20 policy-map type inspect policy-map-name Creates a protocol-specific inspect type policy map and enters
QoS policy-map configuration mode.
Example:
Device(config)# policy-map type inspect
ddos-fw
Step 21 class type inspect match-any class-map-name Specifies the traffic (class) on which an action is to be performed
and enters QoS policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect
match-any ddos-class
Step 22 inspect parameter-map-name Enables stateful packet inspection for the parameter map.
Example:
Device(config-pmap-c)# inspect pmap1
Step 23 end Exits QoS policy-map class configuration mode and enters
privileged EXEC mode.
Example:
Device(config-pmap-c)# end
Step 24 show policy-firewall stats vrf vrf-pmap-name Displays VRF-level policy firewall statistics.
Example:
Device# show policy-firewall stats vrf
vrf1-pmap
Example
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap
Half Open
Protocol Session Cnt Exceed
-------- ----------- ------
All 0 0
UDP 0 0
ICMP 0 0
TCP 0 0
1. enable
2. configure terminal
3. parameter-map type inspect-zone zone-pmap-name
4. alert on
5. threat-detection basic-threat
6. threat-detection rate fw-drop average-time-frame seconds average-threshold packets-per-second
burst-threshold packets-per-second
7. threat-detection rate inspect-drop average-time-frame seconds average-threshold packets-per-second
burst-threshold packets-per-second
8. threat-detection rate syn-attack average-time-frame seconds average-threshold packets-per-second
burst-threshold packets-per-second
9. exit
10. zone security security-zone-name
11. protection parameter-map-name
12. exit
13. zone-pair security zone-pair-name source source-zone destination destination-zone
14. end
15. show policy-firewall stats zone
DETAILED STEPS
Example:
Device# configure terminal
Step 3 parameter-map type inspect-zone zone-pmap-name Configures an inspect-zone parameter map and enters
parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type inspect-zone
zone-pmap1
Example:
Device(config-profile)# threat-detection
basic-threat
Step 6 threat-detection rate fw-drop average-time-frame seconds Configures the threat detection rate for firewall drop
average-threshold packets-per-second burst-threshold events.
packets-per-second
• You must configure the threat-detection
basic-threat command before you configure the
Example: threat-detection rate command.
Device(config-profile)# threat-detection rate
fw-drop average-time-frame 600 average-threshold
100 burst-threshold 100
Step 7 threat-detection rate inspect-drop average-time-frame Configures the threat detection rate for firewall
seconds average-threshold packets-per-second inspection-based drop events.
burst-threshold packets-per-second
Example:
Device(config-profile)# threat-detection rate
inspect-drop average-time-frame 600
average-threshold 100 burst-threshold 100
Example:
Device(config-profile)# threat-detection rate
syn-attack average-time-frame 600 average-threshold
100 burst-threshold 100
Step 10 zone security security-zone-name Creates a security zone and enters security zone
configuration mode.
Example:
Device(config)# zone security public
Step 11 protection parameter-map-name Attaches the inspect-zone parameter map to the zone
and applies the features configured in the inspect-zone
Example: parameter map to the zone.
Device(config-sec-zone)# protection zone-pmap1
Step 12 exit Exits security zone configuration mode and enters global
configuration mode.
Example:
Device(config-sec-zone)# exit
Step 13 zone-pair security zone-pair-name source source-zone Creates a zone pair and enters security zone-pair
destination destination-zone configuration mode.
Example:
Device(config)# zone-pair security private2public
source private destination public
Step 15 show policy-firewall stats zone Displays policy firewall statistics at the zone level.
Example:
Device# show policy-firewall stats zone
SUMMARY STEPS
1. enable
2. configure terminal
3. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
4. alert on
5. per-box max-incomplete number
6. session total number
7. end
8. show policy-firewall stats global
DETAILED STEPS
Example:
Device# configure terminal
Step 3 Enter one of the following commands: Configures a global parameter map for connecting thresholds and
timeouts and enters parameter-map type inspect configuration mode.
• parameter-map type inspect-global
• Based on your release, the parameter-map type
• parameter-map type inspect global
inspect-global and the parameter-map type inspect global
commands are supported. You cannot configure both these
commands together.
Example:
Device(config)# parameter-map type • Skip to Steps 5 and 6 if you configure the parameter-map
inspect-global type inspect-global command.
Device(config)# parameter-map type inspect
global
Note If you configure the parameter-map type inspect-global
command, per-box configurations are not supported
because, by default, all per-box configurations apply to
all firewall sessions.
Step 5 per-box max-incomplete number Configures the maximum number of half-opened connections for
the firewall session table.
Example:
Device(config-profile)# per-box
max-incomplete 12345
Step 6 session total number Configures the total session limit for the firewall session table.
Example:
Device(config-profile)# session total 34500
Step 7 end Exits parameter-map type inspect configuration mode and enters
privileged EXEC mode.
Example:
Device(config-profile)# end
Step 8 show policy-firewall stats global Displays global firewall statistics information.
Example:
Device# show policy-firewall stats global
1. enable
2. configure terminal
3. parameter-map type inspect-vrf vrf-name
4. alert on
5. max-incomplete number
6. session total number
7. exit
8. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
9. alert on
10. vrf vrf-name inspect vrf-pmap-name
11. end
12. show policy-firewall stats vrf vrf-pmap-name
DETAILED STEPS
Example:
Device# configure terminal
Step 3 parameter-map type inspect-vrf vrf-name Configures an inspect-VRF parameter map and enters
parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type
inspect-vrf vrf1-pmap
Step 4 alert on Enables the console display of stateful packet inspection alert
messages.
Example:
Device(config-profile)# alert on
Step 6 session total number Configures the total session limit for a VRF.
Example:
Device(config-profile)# session total 34500
Step 7 exit Exits parameter-map type inspect configuration mode and enters
global configuration mode.
Example:
Device(config-profile)# exit
Step 8 Enter one of the following commands: Configures a global parameter map for connecting thresholds
and timeouts and enters parameter-map type inspect
• parameter-map type inspect-global configuration mode.
• parameter-map type inspect global
• Based on your release, you can use either the
parameter-map type inspect-global command or the
parameter-map type inspect global command. You
Example: cannot configure both these commands together.
Device(config)# parameter-map type
inspect-global • Skip Step 10 if you configure the parameter-map type
Device(config)# parameter-map type inspect
global inspect-global command.
Step 9 alert on Enables the console display of stateful packet inspection alert
messages.
Example:
Device(config-profile)# alert on
Step 10 vrf vrf-name inspect vrf-pmap-name Binds the VRF to the global parameter map.
Example:
Device(config-profile)# vrf vrf1 inspect
vrf1-pmap
Step 11 end Exits parameter-map type inspect configuration mode and enters
privileged EXEC mode.
Example:
Device(config-profile)# end
Example:
Device# show policy-firewall stats vrf
vrf1-pmap
1. enable
2. configure terminal
3. Enter one of the following commands:
• parameter-map type inspect-global
• parameter-map type inspect global
4. alert on
5. per-box tcp syn-flood limit number
6. end
7. show policy-firewall stats vrf global
DETAILED STEPS
Example:
Device# configure terminal
Step 3 Enter one of the following commands: Configures a global parameter map and enters parameter-map type
inspect configuration mode.
• parameter-map type inspect-global
• Based on your release, you can configure either the
• parameter-map type inspect global
parameter-map type inspect-global command or the
parameter-map type inspect global command. You cannot
configure both these commands together.
Step 4 alert on Enables the console display of stateful packet inspection alert
messages.
Example:
Device(config-profile)# alert on
Step 5 per-box tcp syn-flood limit number Limits the number of TCP half-opened sessions that trigger SYN
cookie processing for new SYN packets.
Example:
Device(config-profile)# per-box tcp
syn-flood limit 500
Step 6 end Exits parameter-map type inspect configuration mode and enters
privileged EXEC mode.
Example:
Device(config-profile)# end
Step 7 show policy-firewall stats vrf global (Optional) Displays the status of the global VRF firewall policy.
• The command output also displays how many TCP half-opened
Example: sessions are present.
Device# show policy-firewall stats vrf
global
Example
The following is sample output from the show policy-firewall stats vrf global command:
Device# show policy-firewall stats vrf global
Firewall TCP SYN cookie Configuring Firewall TCP SYN Cookie feature
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Table 2: Feature Information for Protection Against Distributed Denial of Service Attacks